The Asterisk project does not produce or work on the underlying tools the project uses, such as JIRA and Gerrit. Security vulnerabilities found in these tools should be reported to the company or project that creates them. We will, however, accept reports related to the configuration of those tools.
The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting the "Security" issue type makes the entire Asterisk user community vulnerable.
The "Security" issue type will automatically lock down the issue so it can only be viewed by the reporter and bug marshals. If you have any difficulties with that, we'll help; please follow the instructions here and e-mail the team at firstname.lastname@example.org.